Happy Birthday WannaCry

Microsoft is warning that the Internet could see another exploit with the magnitude of the WannaCry attack that shut down computers all over the world two years ago unless people patch a high-severity vulnerability. The software maker took the unusual step of backporting the just-released patch for Windows 2003 and XP, which haven’t been supported in four and five years, respectively.

“Exploitation of the vulnerability, as described in the advisory, would simply require someone to send specific packets over the network to a vulnerable system that has the RDP service available,” Brian Bartholomew, a senior security researcher on Kaspersky Lab’s Global Research and Analysis Team, told Ars in an email. “In the past, exploits for this service have been pretty easy to craft once the patch is reversed. My best guess is that someone will release an exploit for this in the next few days.”

A different security company, CyberX, analyzed traffic from 850 operational technology systems, which are used to manage factory production lines, gas monitoring, and other types of industrial operations. Researchers found that 53 percent of them run unsupported versions of Windows, many of which are likely affected by the just-patched vulnerability. The lack of upgrading stems from the difficulty of taking computers offline in mission-critical environments that operate continuously. Phil Neray, VP of industrial cybersecurity at Boston-based CyberX, said a stop-gap measure for these companies is implementing compensating controls such as network segmentation and continuous network monitoring.

WannaCry and NotPetya, two of the most devastating cyber attacks of all time, have at least two things in common: 1) both spread quickly around the world in hours; and 2) both spread effortlessly beyond IT assets into OT devices. They also occurred within a few weeks of each other. Yes, we’re about to celebrate the birthday of yet another devastating attack.

Network segmentation solutions have had their share of issues when it comes to deployment, especially internal political and technical challenges (see the Zero Trust Paradox). Complexity behind the firewall has escalated to such an extent that security innovation on a macro scale is almost impossible without transforming the TCP/IP stack. That’s the old news: network segmentation pain.

With OT/IT convergence, attacks like WannaCry and NotPetya have a massive global attack surface of interconnected IIoT things that have the potential for catastrophic effects:

Tod Beardsley, director of research at security firm Rapid7, said an alternate Internet scanner, BinaryEdge, shows there are an estimated 16 million endpoints exposed to the Internet on TCP ports 3389 and 3388, which are typically reserved for RDP. – Ars Technica
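For sites that cannot patch, the continuous network monitoring mentioned earlier is one way to find out whether any of those 3389/3388 listeners are yours. The script below is an added example, not part of this post or of CyberX's product: it reads constructed firewall log lines in a hypothetical key=value format, keeps only allowed TCP flows to the RDP ports, and reports which internal hosts were reached from addresses outside an assumed set of internal ranges. The log format and the internal ranges are assumptions; adjust both to your own environment.

```python
import ipaddress
import re
from collections import Counter

RDP_PORTS = {3389, 3388}  # the ports the BinaryEdge count above was taken on
# Assumed "inside" ranges; anything else is treated as external (adjust to your site).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample log in a hypothetical key=value firewall format.
SAMPLE_LOG = """\
2019-05-14T10:01:02Z action=allow proto=tcp src=203.0.113.7 spt=51234 dst=10.0.5.20 dpt=3389
2019-05-14T10:01:05Z action=allow proto=tcp src=10.0.1.15 spt=50001 dst=10.0.5.20 dpt=3389
2019-05-14T10:02:11Z action=allow proto=tcp src=198.51.100.9 spt=40000 dst=10.0.5.21 dpt=3388
2019-05-14T10:02:30Z action=allow proto=tcp src=203.0.113.7 spt=51300 dst=10.0.5.20 dpt=3389
2019-05-14T10:03:00Z action=allow proto=tcp src=198.51.100.9 spt=40001 dst=10.0.5.22 dpt=443
2019-05-14T10:03:10Z action=deny proto=tcp src=192.0.2.44 spt=6000 dst=10.0.5.20 dpt=3389
"""
LINE_RE = re.compile(r"action=(?P<action>\w+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+) "
                     r"spt=\d+ dst=(?P<dst>[\d.]+) dpt=(?P<dpt>\d+)")

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"])
    return rec

def is_internal(addr):
    """True if addr falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def find_exposed_rdp(log_text):
    """Map each RDP host reached from outside to a Counter of external source IPs.
    Only allowed TCP flows count: a denied packet shows the control held, while an
    allowed one from an external address is an exposure to investigate."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "allow" or rec["proto"] != "tcp":
            continue
        if rec["dpt"] not in RDP_PORTS or is_internal(rec["src"]):
            continue
        hits.setdefault(rec["dst"], Counter())[rec["src"]] += 1
    return hits
```

On the constructed log, find_exposed_rdp(SAMPLE_LOG) reports only 10.0.5.20 (two connections from 203.0.113.7) and 10.0.5.21; the internal-source, denied and port-443 lines are filtered out.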

Traditional firewall and segmentation solutions were not architected to protect massively converged infrastructures of IoT, IIoT and IT systems. They were created in a different era of security with very different challenges. As a result, the defense-in-depth stack has become complex and expensive. Yet innovation outside what we used to call the perimeter continues to gather increasing levels of sophistication, from cryptocurrency ransomware to as-a-service delivery models.

Recent CyberX research indicates that more than half of industrial sites run unsupported Windows machines, making them potentially vulnerable. There’s not much opportunity to test the impact of a patch on those types of systems, much less to interrupt operations to install them.

That applies to health care systems, too, where the process of updating critical software could interrupt patient care. Other businesses run specialized software that’s incompatible with more recent Windows releases; practically speaking, they’re trapped on XP. And while the best way to protect yourself from this latest vulnerability—and the countless others that now plague unsupported operating systems—is to upgrade to the latest version of Windows, cash-strapped businesses tend to prioritize other needs. – Brian Barrett

The net result: millions of devices running XP won’t be patched in time, or perhaps ever, and the traditional security stack is already overtaxed by stack fatigue.